Wednesday, September 16, 2009

Timeline - SMB2 Remote Exploit for Vista & 2008 (CVE-2009-3103)

On Sept 7th, Laurent Gaffié released a security advisory and Proof of Concept code on his blog that generated a B.S.O.D. on Windows Vista and Server 2008 by triggering an array indexing error in the srv2.sys kernel driver. This can be exploited to dereference out-of-bounds memory via a specially crafted SMB packet.

On Sept 8th, Microsoft released Security Advisory (975497) indicating they were investigating new public reports of a possible vulnerability in Microsoft Server Message Block (SMB) implementation. Microsoft listed the following affected software: Windows Vista (Gold, SP1 & SP2); Windows 2008 SP2. Windows 7 is listed as not affected...interestingly enough. It appears Microsoft fixed the flaw in Windows 7 build ~7130, just after RC1.

On Sept 8th, CVE-2009-3103 was assigned to the bug, and security researchers began to see that this wasn't just a simple DoS...but was much more.

On Sept 10th, Pusscat posted an analysis on her VRT Sourcefire blog summarizing her and HD Moore's initial work on exploiting the vulnerability.

During Sept 10th - 11th, you have what my friend |)ruid calls the '"how many ways can we open a socket" PoC rewriteathon' - java, perl, python, ruby, c, bash, expect, you get the idea...then it turns into a race...who can get remote execution first?

On Sept 14th, security company Immunity released a local privilege-escalation attack module for its CANVAS pen-test tool.

On Sept 15th, Kostya Korchinsky, a senior security researcher @ Immunity, stated on his blog (translated to English) that he had created a remote SMB2 exploit. CANVAS is a commercial tool, therefore the remote exploit code is not currently public....but if Kostya can do it, we can be certain that a number of blackhats can get it to work (and they may already have a working remote exploit). According to Dave Aitel, the exploit works for Vista and 2008!

Fast forward to today, Sept 16th, and we are all awaiting Microsoft's next move...many are expecting an out-of-band patch release...and given the current situation, it would seem like a smart thing to do. Sadly for Microsoft, out-of-band patches are becoming more and more of a necessity to properly protect customers...

At this point, if you are running Windows Vista or Windows 2008, it is recommended to evaluate the workaround choices outlined by Microsoft...and implement them if possible.


Big thanks to Druid & Todb for helping me fill in some of the timeline....


  1. What? You mean that a monthly patch schedule seems to be flawed??? Imagine that...

  2. A little background on the rewriteathon:

    Silliness, by and large.